Direct Attestation Conveyance Verification with Feitian Keys = Invalid cert path #29572

crollorc opened this issue May 15, 2024 · 1 comment

crollorc commented May 15, 2024

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication/webauthn

Describe the bug

We have Direct Attestation Conveyance Verification working for registration of Yubikey 5 Keys by:

  1. KC_TRUSTSTORE_PATHS: /opt/keycloak/conf/truststores/Yubico.TrustedCAcerts.pem
  2. Attestation Conveyance Verification : Direct
  3. AAGUID: 2fc0579f-8113-47ea-b116-bb5a8db9202a

We are now trying to do the same for Feitian FIDO2 Keys but registration results in an 'Invalid cert path' error.

Notably the Yubikey and Feitian root CAs are signed differently:

openssl x509 -in conf/truststores/FEITIAN.TrustedCAcerts.pem -text|grep -i Signature
Signature Algorithm: ecdsa-with-SHA256
openssl x509 -in conf/truststores/Yubico.TrustedCAcerts.pem -text|grep -i Signature
Signature Algorithm: sha256WithRSAEncryption

Version

24.0.4

Regression

  • The issue is a regression

Expected behavior

Yubikey registration results in the following logs:

keycloak | 2024-05-09 15:33:27,231 INFO [org.keycloak.events] (executor-thread-15) type="CUSTOM_REQUIRED_ACTION", realmId="e672f92a-3ee1-4fda-aa79-9000b9e68154", clientId="account-console", userId="d665c05f-6c5c-483f-94cb-56059738738a", ipAddress="89.234.127.132", custom_required_action="webauthn-register", public_key_credential_id="vHej_XxJPzAHBdf3CBEzBOHrMiUXvRpjS7dCrvZk3Dt7R49ASrRWnZPwdQslpzNLavNR-ScFmKPeqPQrgNQj5A", response_type="code", code_id="36805d8a-7e60-4af6-a3e9-5fc908461f61", public_key_credential_label="WebAuthn Authenticator (Default Label)", response_mode="query", credential_type="webauthn", auth_method="openid-connect", public_key_credential_aaguid="2fc0579f-8113-47ea-b116-bb5a8db9202a", redirect_uri=https://auth.schools.examinations.ie/realms/schools/account/#/account-security/signing-in, remember_me="false", username="us2", authSessionParentId="36805d8a-7e60-4af6-a3e9-5fc908461f61", authSessionTabId="JYxbbVC5vmQ"

keycloak | 2024-05-09 15:33:27,234 INFO [org.keycloak.events] (executor-thread-15) type="LOGIN", realmId="e672f92a-3ee1-4fda-aa79-9000b9e68154", clientId="account-console", userId="d665c05f-6c5c-483f-94cb-56059738738a", ipAddress="89.234.127.132", custom_required_action="webauthn-register", public_key_credential_id="vHej_XxJPzAHBdf3CBEzBOHrMiUXvRpjS7dCrvZk3Dt7R49ASrRWnZPwdQslpzNLavNR-ScFmKPeqPQrgNQj5A", response_type="code", consent="no_consent_required", code_id="36805d8a-7e60-4af6-a3e9-5fc908461f61", public_key_credential_label="WebAuthn Authenticator (Default Label)", response_mode="query", credential_type="webauthn", auth_method="openid-connect", public_key_credential_aaguid="2fc0579f-8113-47ea-b116-bb5a8db9202a", redirect_uri=https://auth.schools.examinations.ie/realms/schools/account/#/account-security/signing-in, remember_me="false", username="us2", authSessionParentId="36805d8a-7e60-4af6-a3e9-5fc908461f61", authSessionTabId="JYxbbVC5vmQ"

keycloak | 2024-05-09 15:33:27,885 INFO [org.keycloak.events] (executor-thread-15) type="CODE_TO_TOKEN", realmId="e672f92a-3ee1-4fda-aa79-9000b9e68154", clientId="account-console", userId="d665c05f-6c5c-483f-94cb-56059738738a", ipAddress="89.234.127.132", token_id="0c876d7b-249c-40ad-8960-1bf2cd8dddd0", grant_type="authorization_code", refresh_token_type="Refresh", scope="openid email roles profile", refresh_token_id="9df9db1e-9a80-4d42-8899-5e3d71c6115e", code_id="36805d8a-7e60-4af6-a3e9-5fc908461f61", client_auth_method="client-secret"

Actual behavior

Feitian registration shows an 'Invalid cert path' error and the related logs are below:

keycloak | 2024-05-09 16:35:27,138 DEBUG [jdk.event.security] (executor-thread-2) X509Certificate: Alg:SHA256withECDSA, Serial:1df2b55a51dc4b6885a3d99e697fed15, Subject:CN=FT FIDO2 0520, OU=Authenticator Attestation, O=Feitian Technologies, C=US, Issuer:CN=Feitian FIDO CA 06, O=Feitian Technologies, C=US, Key type:EC, Length:256, Cert Id:-693187202, Valid from:6/21/18, 12:00 AM, Valid until:6/20/33, 11:59 PM
keycloak | 2024-05-09 16:35:27,139 DEBUG [jdk.event.security] (executor-thread-2) X509Certificate: Alg:SHA256withECDSA, Serial:18152b41b743ae6db41599c3b17d820b, Subject:CN=Feitian FIDO CA 06, O=Feitian Technologies, C=US, Issuer:CN=Feitian FIDO Root CA, O=Feitian Technologies, C=US, Key type:EC, Length:256, Cert Id:1242049463, Valid from:5/20/18, 12:00 AM, Valid until:5/19/38, 11:59 PM
keycloak | 2024-05-09 16:35:27,156 DEBUG [org.keycloak.authentication.requiredactions.WebAuthnRegister] (executor-thread-2) invalid cert path: com.webauthn4j.validator.exception.CertificateException: invalid cert path
keycloak | at com.webauthn4j.validator.attestation.trustworthiness.certpath.CertPathTrustworthinessValidatorBase.validate(CertPathTrustworthinessValidatorBase.java:66)
keycloak | at com.webauthn4j.validator.AttestationValidator.validate(AttestationValidator.java:121)
keycloak | at com.webauthn4j.validator.RegistrationDataValidator.validate(RegistrationDataValidator.java:192)
keycloak | at com.webauthn4j.WebAuthnRegistrationManager.validate(WebAuthnRegistrationManager.java:209)
keycloak | at org.keycloak.authentication.requiredactions.WebAuthnRegister.processAction(WebAuthnRegister.java:244)
keycloak | at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:1117)
keycloak | at org.keycloak.services.resources.LoginActionsService.requiredActionPOST(LoginActionsService.java:1052)
keycloak | at org.keycloak.services.resources.LoginActionsService$quarkusrestinvoker$requiredActionPOST_677a8efd4e80bfe1b3aa5a0d6fca2043252c9624.invoke(Unknown Source)
keycloak | at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
keycloak | at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
keycloak | at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
keycloak | at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
keycloak | at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
keycloak | at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
keycloak | at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
keycloak | at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
keycloak | at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
keycloak | at java.base/java.lang.Thread.run(Thread.java:840)
keycloak | Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
keycloak | at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:157)
keycloak | at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
keycloak | at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
keycloak | at com.webauthn4j.validator.attestation.trustworthiness.certpath.CertPathTrustworthinessValidatorBase.validate(CertPathTrustworthinessValidatorBase.java:62)
keycloak | ... 17 more
keycloak |
keycloak | 2024-05-09 14:45:19,539 WARN [org.keycloak.authentication.requiredactions.WebAuthnRegister] (executor-thread-27) webauthn-error-registration

keycloak | 2024-05-09 14:45:19,552 ERROR [org.keycloak.events] (executor-thread-27) type="CUSTOM_REQUIRED_ACTION_ERROR", realmId="e672f92a-3ee1-4fda-aa79-9000b9e68154", clientId="account-console", userId="d665c05f-6c5c-483f-94cb-56059738738a", ipAddress="89.234.127.132", error="invalid_registration", credential_type="webauthn", auth_method="openid-connect", web_authn_registration_error_detail="invalid cert path", custom_required_action="webauthn-register", response_type="code", web_authn_registration_error="webauthn-error-registration", redirect_uri=https://auth.schools.examinations.ie/realms/schools/account/#/account-security/signing-in, remember_me="false", code_id="298e3b1a-ba6a-4350-8c67-896c81a8c717", response_mode="query", username="us2"

How to Reproduce?

The Feitian root CA is below:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Here is the Yubikey root CA:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Anything else?

Changing the Signature algorithms has no effect on the error.
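The stack trace above bottoms out in the JDK's PKIX validator reporting that the attestation path does not chain to any configured trust anchor, which is a truststore question before it is a signature-algorithm question. The script below is an added example, not code from this issue, from Keycloak or from webauthn4j: it builds two constructed ECDSA P-256 chains (root, intermediate, leaf, the same shape as the Feitian chain in the debug log) with the openssl CLI, then runs openssl verify as a stand-in for the PKIX check to show that a leaf validates only when its own root is among the anchors, that a PEM file holding both roots validates both chains, and how to confirm that the anchor on disk is the subject the intermediate names as its issuer. All subject names, directory and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the issue, Keycloak or webauthn4j: reproduce the
# "path does not chain with any of the trust anchors" condition with constructed
# EC (P-256) chains and the openssl CLI. All names and paths are placeholders.
set -eu

# make_chain DIR ROOT_CN CA_CN LEAF_CN
# Writes root.pem, inter.pem and leaf.pem (plus keys) into DIR: a self-signed root,
# an intermediate CA signed by it, and a non-CA leaf signed by the intermediate,
# all ECDSA P-256 with SHA-256, like the Feitian chain in the debug log.
make_chain() {
  dir="$1"; root_cn="$2"; ca_cn="$3"; leaf_cn="$4"
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\n' > "$dir/leaf.ext"
  for name in root inter leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
  done
  # Root: self-signed with CA:TRUE so it is usable as a PKIX trust anchor.
  openssl req -new -key "$dir/root.key" -subj "/CN=$root_cn/O=Example Vendor/C=US" -out "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # Intermediate: issued by the root.
  openssl req -new -key "$dir/inter.key" -subj "/CN=$ca_cn/O=Example Vendor/C=US" -out "$dir/inter.csr"
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -sha256 -days 30 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
  # Leaf (the attestation certificate): issued by the intermediate, not a CA.
  openssl req -new -key "$dir/leaf.key" \
    -subj "/CN=$leaf_cn/OU=Authenticator Attestation/O=Example Vendor/C=US" -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
    -sha256 -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_chain ANCHORS INTER LEAF
# PKIX-validates LEAF with INTER supplied as an untrusted intermediate (the way the
# authenticator ships it inside the attestation statement) and only the certificates
# in ANCHORS as trust anchors; the system default store is excluded. Prints ok or fail.
verify_chain() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# anchor_matches_issuer ANCHOR INTER
# First thing to check when the validator says the path does not chain: is the
# anchor's subject the issuer DN named by the intermediate? Prints match or mismatch.
anchor_matches_issuer() {
  if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = "$(openssl x509 -in "$2" -noout -issuer_hash)" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Demo: two vendors' chains and a truststore PEM holding both roots.
WORK="$(mktemp -d)"
make_chain "$WORK/a" "Example FIDO Root CA A" "Example FIDO CA A1" "Example Authenticator A"
make_chain "$WORK/b" "Example FIDO Root CA B" "Example FIDO CA B1" "Example Authenticator B"
cat "$WORK/a/root.pem" "$WORK/b/root.pem" > "$WORK/both-roots.pem"

echo "leaf A, anchors {A}:   $(verify_chain "$WORK/a/root.pem" "$WORK/a/inter.pem" "$WORK/a/leaf.pem")"
echo "leaf B, anchors {A}:   $(verify_chain "$WORK/a/root.pem" "$WORK/b/inter.pem" "$WORK/b/leaf.pem")"
echo "leaf B, anchors {A,B}: $(verify_chain "$WORK/both-roots.pem" "$WORK/b/inter.pem" "$WORK/b/leaf.pem")"
echo "root A vs issuer of intermediate B: $(anchor_matches_issuer "$WORK/a/root.pem" "$WORK/b/inter.pem")"
```

The second demo line is the situation in the report: a well-formed, correctly signed chain that fails only because the root it terminates in is not among the anchors the server was given, which is why the signature algorithm of the root makes no difference. The practical check is therefore on the truststore contents: confirm with the subject_hash/issuer_hash comparison that the PEM you loaded is the certificate the "Feitian FIDO CA 06" intermediate names as its issuer, and that every vendor root you need is actually present in what the server loads.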

@keycloak-github-bot commented

Due to the number of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.

@crollorc crollorc changed the title Direct Attestation Conveyance Verification with Token2/Feitian Keys = Invalid cert path Direct Attestation Conveyance Verification with Feitian Keys = Invalid cert path May 17, 2024